CVE Catalog

CVE-2026-42076

Critical
Published: Translated: NVD NIST

Summary

Evolver is an AI self-evolving engine that prior to version 1.69.3 had a command injection vulnerability in the _extractLLM() function. This allows attackers to execute arbitrary shell commands on the server due to improper handling of parameters.

Risk Assessment

This vulnerability poses a serious risk to server security, enabling remote code execution by attackers. It could lead to system takeover or data leakage.

Recommendation

It is recommended to upgrade to version 1.69.3 or later to mitigate this vulnerability. Additionally, implementing proper input sanitization mechanisms is advisable.

Original NVD description (English source)

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS